podman kube play symlink traversal vulnerability — CVE-2025-9566
ID
CVE-2025-9566
Source
GitHub
Vendor
GitHub
Threat
high
CVSS
8.1
EPSS
0.00059
Summary
### Impact
The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file. This allows a malicious container to write to arbitrary files on the host, but the attacker only controls the target path, not the contents that will be written to the file; the contents are defined in the YAML file by the end user.…
Product
go: github.com/containers/podman/v5 | go: github.com/containers/podman/v4
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.